MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' of github.com:MISP/misp-galaxy

pull/804/head
Christian Studer 2022-11-23 19:47:31 +01:00
parent 648b35d445 5c979ae554
commit bea58d5843
31 changed files with 22778 additions and 20236 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
README.md
View File

@ -18,15 +18,30 @@ The objective is to have a comment set of clusters for organizations starting an
to localized information (which is not shared) or additional information (that can be shared).
# Available Galaxy - clusters
## 360.net Threat Actors
[360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net.
Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements
[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)]
## Android
[Android](https://www.misp-project.org/galaxy.html#_android) - Android malware galaxy based on multiple open sources.
Category: *tool* - source: *Open Sources* - total: *430* elements
Category: *tool* - source: *Open Sources* - total: *431* elements
[[HTML](https://www.misp-project.org/galaxy.html#_android)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/android.json)]
## Azure Threat Research Matrix
[Azure Threat Research Matrix](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix) - The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.
Category: *atrm* - source: *https://github.com/microsoft/Azure-Threat-Research-Matrix* - total: *89* elements
[[HTML](https://www.misp-project.org/galaxy.html#_azure_threat_research_matrix)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/atrm.json)]
## attck4fraud
[attck4fraud](https://www.misp-project.org/galaxy.html#_attck4fraud) - attck4fraud - Principles of MITRE ATT&CK in the fraud domain
@ -39,7 +54,7 @@ Category: *guidelines* - source: *Open Sources* - total: *31* elements
[Backdoor](https://www.misp-project.org/galaxy.html#_backdoor) - A list of backdoor malware.
Category: *tool* - source: *Open Sources* - total: *11* elements
Category: *tool* - source: *Open Sources* - total: *12* elements
[[HTML](https://www.misp-project.org/galaxy.html#_backdoor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/backdoor.json)]
@ -63,7 +78,7 @@ Category: *mobile* - source: *https://arxiv.org/pdf/2005.05110.pdf* - total: *47
[Botnet](https://www.misp-project.org/galaxy.html#_botnet) - botnet galaxy
Category: *tool* - source: *MISP Project* - total: *71* elements
Category: *tool* - source: *MISP Project* - total: *73* elements
[[HTML](https://www.misp-project.org/galaxy.html#_botnet)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/botnet.json)]
@ -111,7 +126,7 @@ Category: *country* - source: *MISP Project* - total: *252* elements
[Cryptominers](https://www.misp-project.org/galaxy.html#_cryptominers) - A list of cryptominer and cryptojacker malware.
Category: *Cryptominers* - source: *Open Source Intelligence* - total: *2* elements
Category: *Cryptominers* - source: *Open Source Intelligence* - total: *4* elements
[[HTML](https://www.misp-project.org/galaxy.html#_cryptominers)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/cryptominers.json)]
@ -135,7 +150,7 @@ Category: *tool* - source: *MISP Project* - total: *52* elements
[Malpedia](https://www.misp-project.org/galaxy.html#_malpedia) - Malware galaxy cluster based on Malpedia.
Category: *tool* - source: *Malpedia* - total: *2194* elements
Category: *tool* - source: *Malpedia* - total: *2462* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malpedia)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/malpedia.json)]
@ -143,7 +158,7 @@ Category: *tool* - source: *Malpedia* - total: *2194* elements
[Microsoft Activity Group actor](https://www.misp-project.org/galaxy.html#_microsoft_activity_group_actor) - Activity groups as described by Microsoft
Category: *actor* - source: *MISP Project* - total: *15* elements
Category: *actor* - source: *MISP Project* - total: *14* elements
[[HTML](https://www.misp-project.org/galaxy.html#_microsoft_activity_group_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/microsoft-activity-group.json)]
@ -159,7 +174,7 @@ Category: *misinformation-pattern* - source: *https://github.com/misinfosecproje
[Attack Pattern](https://www.misp-project.org/galaxy.html#_attack_pattern) - ATT&CK tactic
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *991* elements
Category: *attack-pattern* - source: *https://github.com/mitre/cti* - total: *1003* elements
[[HTML](https://www.misp-project.org/galaxy.html#_attack_pattern)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-attack-pattern.json)]
@ -263,7 +278,7 @@ Category: *attack-pattern* - source: *https://collaborate.mitre.org/attackics/in
[Intrusion Set](https://www.misp-project.org/galaxy.html#_intrusion_set) - Name of ATT&CK Group
Category: *actor* - source: *https://github.com/mitre/cti* - total: *134* elements
Category: *actor* - source: *https://github.com/mitre/cti* - total: *138* elements
[[HTML](https://www.misp-project.org/galaxy.html#_intrusion_set)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-intrusion-set.json)]
@ -271,7 +286,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *134* elemen
[Malware](https://www.misp-project.org/galaxy.html#_malware) - Name of ATT&CK software
Category: *tool* - source: *https://github.com/mitre/cti* - total: *565* elements
Category: *tool* - source: *https://github.com/mitre/cti* - total: *598* elements
[[HTML](https://www.misp-project.org/galaxy.html#_malware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-malware.json)]
@ -335,7 +350,7 @@ Category: *actor* - source: *https://github.com/mitre/cti* - total: *7* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - Name of ATT&CK software
Category: *tool* - source: *https://github.com/mitre/cti* - total: *74* elements
Category: *tool* - source: *https://github.com/mitre/cti* - total: *80* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/mitre-tool.json)]
@ -359,7 +374,7 @@ Category: *measure* - source: *MISP Project* - total: *20* elements
[Ransomware](https://www.misp-project.org/galaxy.html#_ransomware) - Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar
Category: *tool* - source: *Various* - total: *1608* elements
Category: *tool* - source: *Various* - total: *1610* elements
[[HTML](https://www.misp-project.org/galaxy.html#_ransomware)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/ransomware.json)]
@ -423,7 +438,7 @@ Category: *tool* - source: *Open Sources* - total: *6* elements
[Surveillance Vendor](https://www.misp-project.org/galaxy.html#_surveillance_vendor) - List of vendors selling surveillance technologies including malware, interception devices or computer exploitation services.
Category: *actor* - source: *MISP Project* - total: *14* elements
Category: *actor* - source: *MISP Project* - total: *15* elements
[[HTML](https://www.misp-project.org/galaxy.html#_surveillance_vendor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/surveillance-vendor.json)]
@ -455,7 +470,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
[Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
Category: *actor* - source: *MISP Project* - total: *379* elements
Category: *actor* - source: *MISP Project* - total: *397* elements
[[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]
@ -463,11 +478,10 @@ Category: *actor* - source: *MISP Project* - total: *379* elements
[Tool](https://www.misp-project.org/galaxy.html#_tool) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.
Category: *tool* - source: *MISP Project* - total: *533* elements
Category: *tool* - source: *MISP Project* - total: *537* elements
[[HTML](https://www.misp-project.org/galaxy.html#_tool)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/tool.json)]
# Online documentation
A [readable PDF overview of the MISP galaxy is available](https://www.misp.software/galaxy.pdf) or [HTML](https://www.misp.software/galaxy.html) and generated from the JSON.

880
clusters/360net.json Normal file
View File

@ -0,0 +1,880 @@
{
"authors": [
"360.net"
],
"category": "actor",
"description": "Known or estimated adversary groups as identified by 360.net.",
"name": "360.net Threat Actors",
"source": "https://apt.360.net/aptlist",
"type": "360net-threat-actor",
"uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
"values": [
{
"description": "美国中央情报局英语Central Intelligence Agency总部位于美国弗吉尼亚州的兰利。与苏联国家安全委员会克格勃、英国军情六处和以色列摩萨德并称为“世界四大情报机构”。\n其主要任务是公开和秘密地收集和分析关于国外政府、公司、恐怖组织、个人、政治、文化、科技等方面的情报协调其它国内情报机构的活动并把这些情报报告到美国政府各个部门的工作。",
"meta": {
"country": "america",
"refs": [
"https://apt.360.net/report/apts/12.html",
"https://apt.360.net/report/apts/96.html"
],
"suspected-victims": [
"中国"
],
"synonyms": [
"Lamberts",
"longhorn"
],
"target-category": [
"媒体通讯",
"工业科研",
"航空航天等重要机构"
]
},
"uuid": "988e1441-0350-5c39-979d-b0ca99c8d20b",
"value": "CIA - APT-C-39"
},
{
"description": "海莲花OceanLotusAPT团伙是一个高度组织化的、专业化的境外国家级黑客组织其最早由360发现并披露。该组织至少自2012年4月起便针对中国政府、科研院所、海事机构、海域建设、航运企业等相关重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。",
"meta": {
"country": "vietnam",
"refs": [
"https://apt.360.net/report/apts/94.html",
"https://apt.360.net/report/apts/1.html",
"https://apt.360.net/report/apts/93.html"
],
"suspected-victims": [
"中国",
"越南"
],
"synonyms": [
"OceanLotus"
],
"target-category": [
"政府",
"科研"
]
},
"uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb",
"value": "海莲花 - APT-C-00"
},
{
"description": "摩诃草组织APT-C-09又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork是一个来自于南亚地区的境外APT组织该组织已持续活跃了7年。摩诃草组织最早由Norman安全公司于2013年曝光随后又有其他安全厂商持续追踪并披露该组织的最新活动。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月至今还非常活跃。在针对中国地区的攻击中该组织主要针对政府机构、科研教育领域进行攻击其中以科研教育领域为主。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/110.html",
"https://apt.360.net/report/apts/6.html"
],
"suspected-victims": [
"中国及中国驻外大使馆"
],
"synonyms": [
"HangOver",
"VICEROY TIGER",
"The Dropping Elephant",
"Patchwork"
],
"target-category": [
"外交军事",
"关键制造基础设施",
"政府金融等重要机构"
]
},
"uuid": "231a81cd-4e24-590b-b084-1a4715b30d67",
"value": "摩诃草 - APT-C-09"
},
{
"description": "从2014年11月起至今黄金鼠组织APT-C-27对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/26.html",
"https://apt.360.net/report/apts/100.html",
"https://apt.360.net/report/apts/98.html"
],
"suspected-victims": [
"叙利亚"
],
"synonyms": [],
"target-category": [
"军事",
"政府"
]
},
"uuid": "b3b6f113-fe2c-5d75-ba41-b333ce726f4a",
"value": "黄金鼠 - APT-C-27"
},
{
"description": "Lazarus组织是来自朝鲜的APT组织该组织长期对韩国、美国、中国、印度等国家进行渗透攻击此外还对全球的金融机构进行攻击堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。",
"meta": {
"country": "korea",
"refs": [
"https://apt.360.net/report/apts/9.html",
"https://apt.360.net/report/apts/90.html",
"https://apt.360.net/report/apts/101.html"
],
"suspected-victims": [
"中国",
"韩国",
"美国",
"印度等国家"
],
"synonyms": [
"APT38"
],
"target-category": [
"工业科研",
"外交外贸",
"媒体金融",
"核设施"
]
},
"uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce",
"value": "Lazarus - APT-C-26"
},
{
"description": "黄金雕组织的活动主要影响中亚地区大部分集中在哈萨克坦国境内攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击同时也采购了HackingTeam、NSO Group等网络军火商的武器具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性将该组织命名为黄金雕APT-C-34",
"meta": {
"country": "kaz",
"refs": [
"https://apt.360.net/report/apts/11.html"
],
"synonyms": []
},
"uuid": "03e70e52-ec27-5961-bb53-d4c8c737addc",
"value": "黄金雕 - APT-C-34"
},
{
"description": "从2018年4月起至今一个疑似来自南美洲的APT组织盲眼鹰APT-C-36针对哥伦比亚政府机构和大型公司金融、石油、制造等行业等重要领域展开了有组织、有计划、针对性的长期不间断攻击。",
"meta": {
"country": "namerica",
"refs": [
"https://apt.360.net/report/apts/83.html"
],
"synonyms": []
},
"uuid": "c111ae65-f889-56b0-b266-f54342977da5",
"value": "盲眼鹰 - APT-C-36"
},
{
"description": "2018年11月25日360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动攻击目标则指向俄罗斯总统办公室所属的医疗机构此次攻击行动使用了Flash 0day漏洞cve-2018-15982和Hacking Team的RCS后门程序结合被攻击目标医疗机构的职能特色360将此次APT攻击命名为“毒针”行动。",
"meta": {
"country": "kaz",
"refs": [
"https://apt.360.net/report/apts/10.html"
],
"suspected-victims": [
"俄罗斯"
],
"synonyms": [],
"target-category": [
"政府"
]
},
"uuid": "5ae4eb64-5431-5b5c-987b-891e7ab5858c",
"value": "毒针 - APT-C-31"
},
{
"description": "2016年7月360发现一起针对伊朗Android手机用户长达两年之久的APT攻击活动。攻击者借助社交软件Telegram分享经过伪装的ArmaRat木马入侵成功后攻击者可以完全控制用户手机并对用户手机进行实时监控。由于该木马演变过程中C&C及代码结构均出现“arma”关键字所以我们将该组织命名为“ArmaRat”。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/48.html"
],
"suspected-victims": [
"伊朗"
],
"synonyms": [],
"target-category": [
"政府"
]
},
"uuid": "e66dfa3d-3295-503c-bdea-64d88e2b310d",
"value": "ArmaRat - APT-C-33"
},
{
"description": "从2015年7月起至今军刀狮组织APT-C-38在中东地区展开了有组织、有计划、针对性的不间断攻击其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人另Windows端RAT包含的PDB路径下出现多次的“Saber”而亚洲狮为该中东国家的代表动物结合该组织的一些其它特点以及360对 APT 组织的命名规则我们将该组织命名为军刀狮APT-C-38。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/30.html"
],
"suspected-victims": [
"中东地区"
],
"synonyms": [],
"target-category": [
"政府"
]
},
"uuid": "671197ae-ba70-5a81-90a5-1ba5e2ad6f76",
"value": "军刀狮 - APT-C-38"
},
{
"description": "拍拍熊组织APT-C-37针对极端组织“伊斯兰国”展开了有组织、有计划、针对性的长期不间断攻击其攻击平台为Windows和Android。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/103.html",
"https://apt.360.net/report/apts/28.html"
],
"suspected-victims": [
"ISIS"
],
"synonyms": [],
"target-category": [
"军事",
"政府"
]
},
"uuid": "74f08d5a-e94d-53cb-bdd7-31d2f8c8db2b",
"value": "拍拍熊 - APT-C-37"
},
{
"description": "APT-C-15是一个来自于中东地区的境外APT组织。 APT-C-15组织主要针对埃及,以色列等中东地区进行网络间谍活动,以窃取敏感信息为主。 活跃时间主要集中在2014年6月到2015年11月期间相关攻击活动最早可以追溯到2011年12月。主要采用利用社交网络进行水坑攻击。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/8.html"
],
"suspected-victims": [
"埃及",
"以色列"
],
"synonyms": [],
"target-category": [
"政府"
]
},
"uuid": "55177506-57bf-503e-8a24-9ed06bd28f16",
"value": "人面狮 - APT-C-15"
},
{
"description": "美人鱼组织APT-C-07来自于中东的境外APT组织已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/4.html"
],
"suspected-victims": [
"丹麦"
],
"synonyms": [],
"target-category": [
"政府",
"外交"
]
},
"uuid": "51954972-101b-5213-971c-b335ceb810ea",
"value": "美人鱼 - APT-C-07"
},
{
"description": "2016年1月起至今双尾蝎组织对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括 Windows 与 Android攻击范围主要为中东地区",
"meta": {
"country": "mideast",
"refs": [
"https://apt.360.net/report/apts/27.html"
],
"suspected-victims": [
"巴勒斯坦",
"中国等驻外大使馆"
],
"synonyms": [],
"target-category": [
"政府",
"IT",
"军事",
"教育"
]
},
"uuid": "ce0bcfbd-9924-5c82-9ad3-845db745e7f7",
"value": "双尾蝎 - APT-C-23"
},
{
"description": "从2011年开始持续至今高级攻击组织蓝宝菇APT-C-12对我国政府、军工、科研、金融等重点单位和部门进行了持续的网络间谍活动。该组织主要关注核工业和科研等相关信息。被攻击目标主要集中在中国大陆境内。",
"meta": {
"country": "taiwan",
"refs": [
"https://apt.360.net/report/apts/7.html"
],
"suspected-victims": [
"中国"
],
"synonyms": [
"核危机行动Operation NuclearCrisis"
],
"target-category": [
"政府",
"航空航天、教育",
"军事"
]
},
"uuid": "7094494b-a91b-532f-9968-082fa683bfc4",
"value": "蓝宝菇 - APT-C-12"
},
{
"description": "从2007年开始至今360追日团队发现毒云藤组织对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达数十年的网络间谍活动。该组织主要关注军工、中美关系、两岸关系和海洋相关领域。",
"meta": {
"country": "taiwan",
"refs": [
"https://apt.360.net/report/apts/2.html"
],
"suspected-victims": [
"中国"
],
"synonyms": [
"穷奇",
"白海豚",
"绿斑"
],
"target-category": [
"政府",
"科研",
"国防",
"海事机构等重要机构"
]
},
"uuid": "98df38d1-f83c-5c28-ad11-75aa6b493fe7",
"value": "毒云藤 - APT-C-01"
},
{
"description": "DarkhotelAPT-C-06组织是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织并声明该组织至少从2010年就已经开始活跃目标基本锁定在韩国、中国、俄罗斯和日本。",
"meta": {
"country": "southKorea",
"refs": [
"https://apt.360.net/report/apts/3.html",
"https://apt.360.net/report/apts/97.html"
],
"suspected-victims": [
"中国",
"日本",
"俄罗斯",
"朝鲜半岛"
],
"synonyms": [
"Luder",
"Karba",
"Tapaoux",
"Dubnium",
"SIG25"
],
"target-category": [
"军事",
"外贸外交",
"工业能源",
"科研等重要机构"
]
},
"uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe",
"value": "Darkhotel - APT-C-06"
},
{
"description": "APT28(APT-C-20)又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关该组织相关攻击时间最早可以追溯到2007年。其主要目标包括国防工业、军队、政府组织和媒体",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/120.html",
"https://apt.360.net/report/apts/72.html"
],
"suspected-victims": [
"美国",
"欧洲",
"乌克兰"
],
"synonyms": [
"Pawn Storm",
"Sofacy Group",
"Sednit",
"Fancy Bear",
"STRONTIUM"
],
"target-category": [
"媒体",
"国防工业",
"政府",
"军事等重要机构"
]
},
"uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd",
"value": "奇幻熊 - APT-C-20"
},
{
"description": "沙虫组织的主要目标领域有政府、教育、能源机构和电信运营商进一步主要针对欧美国家政府、北约以及乌克兰政府展开间谍活动其攻击在2018年呈上升趋势。该组织经常利用鱼叉式网络钓鱼方法。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/69.html",
"https://apt.360.net/report/apts/87.html"
],
"suspected-victims": [
"欧美国家",
"乌克兰",
"北约"
],
"synonyms": [
"SandWorm"
],
"target-category": [
"政府",
"教育",
"能源机构",
"电信运营商"
]
},
"uuid": "0fdab65b-3e2b-5fd8-be36-cc18c7bcc1d7",
"value": "沙虫 - APT-C-13"
},
{
"description": "肚脑虫组织APT-C-35是一个来自于印度的境外APT组织该组织已持续活跃了3年。 肚脑虫组织主要针对巴基斯坦,南亚等国家地区进行网络间谍活动,以窃取敏感信息为主。 相关攻击活动最早可以追溯到2016年至今还非常活跃。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/102.html",
"https://apt.360.net/report/apts/32.html"
],
"suspected-victims": [
"巴基斯坦等南亚国家"
],
"synonyms": [
"donot"
],
"target-category": [
"政府"
]
},
"uuid": "7592ce56-59df-5cbc-9251-6928ff23e6a5",
"value": "肚脑虫 - APT-C-35"
},
{
"description": "蔓灵花组织利用鱼叉邮件以及系统漏洞等方式主要攻击政府、电力和工业相关单位以窃取敏感信息为主。国外样本最早出现在2013年11月样本编译时间集中出现在2015年7月至2016年9月期间2016年网络安全公司Forcepoint最早报告了这一组织随后被多次发现至今还非常活跃。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/5.html"
],
"suspected-victims": [
"中国",
"巴基斯坦"
],
"synonyms": [],
"target-category": [
"工业",
"电力",
"政府"
]
},
"uuid": "4d76da10-0bfe-51d4-b071-61593c8f1983",
"value": "蔓灵花 - APT-C-08"
},
{
"description": "索伦之眼组织APT-C-16又称Sauron、Strider。该组织主要针对中国、俄罗斯等多个国家进行网络间谍活动其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2010年至今还非常活跃。该组织整个攻击过程中是高度隐蔽且针对性极强对特定目标采用定制的恶意程序或通信设施不会重复使用相关攻击资源。相关恶意代码复杂度可以与方程式Equation媲美其综合能力不弱于震网Stuxnet、火焰Flame等APT组织。",
"meta": {
"country": "america",
"refs": [
"https://apt.360.net/report/apts/70.html"
],
"suspected-victims": [
"中国",
"俄罗斯",
"比利时",
"瑞典"
],
"synonyms": [
"Sauron",
"Strider"
],
"target-category": [
"军事",
"外交",
"政府等重要机构"
]
},
"uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf",
"value": "索伦之眼 - APT-C-16"
},
{
"description": "潜行者组织主要搜集东南亚国家政府机构、国防部门、情报机构等机构敏感信息其中针对我国就进行了超十年左右的网络攻击。主要针对政府、通信等领域重点单位攻击最早可以关联追溯到2009年最早的样本编译时间为2008年攻击活动一直持续至今。",
"meta": {
"country": "southeast",
"refs": [
"https://apt.360.net/report/apts/82.html"
],
"suspected-victims": [
"中国及东南亚"
],
"synonyms": [],
"target-category": [
"政府",
"外交",
"通讯",
"智库"
]
},
"uuid": "4a2a754b-e59b-5f31-b9ca-1d0f920185b2",
"value": "潜行者 - APT-C-30"
},
{
"description": "“响尾蛇”APT组织又名T-APT-04疑似来自印度其最早活跃时间可追溯到2012年主要针对巴基斯坦等南亚国家的军事目标进行定向攻击。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/92.html"
],
"suspected-victims": [
"巴基斯坦"
],
"synonyms": [
"SideWinder"
],
"target-category": [
"政府",
"军事"
]
},
"uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b",
"value": "响尾蛇 - APT-C-24"
},
{
"description": "APT-C-28组织又名ScarCruft、APT37 Reaper、Group123是一个来自于东北亚地区的境外APT组织其相关攻击活动最早可追溯到2012年且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。",
"meta": {
"country": "korea",
"refs": [
"https://apt.360.net/report/apts/79.html"
],
"suspected-victims": [
"俄罗斯",
"中国等周边国家"
],
"synonyms": [
"APT37Reaper",
"Group123"
],
"target-category": [
"政府",
"媒体"
]
},
"uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d",
"value": "ScarCruft - APT-C-28"
},
{
"description": "Turla组织的主要目标有外交、政治、私企攻击目标遍布全球其中以欧洲地区为主国内也有中招用户。在攻击手法上是俄罗斯网军中技术实力很强的主力部队曾经有过攻击卫星的历史。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/88.html",
"https://apt.360.net/report/apts/81.html"
],
"suspected-victims": [
"中国",
"俄罗斯",
"驻欧美国家外交机关"
],
"synonyms": [
"uroburos"
],
"target-category": [
"外交",
"金融",
"工业"
]
},
"uuid": "1972273e-2152-558c-b575-222c6d2f3e10",
"value": "Turla - APT-C-29"
},
{
"description": "Carbanak(即Anunak)攻击组织是一个跨国网络犯罪团伙。2013年起该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击目前相关攻击活动还很活跃。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/68.html"
],
"suspected-victims": [
"全球"
],
"synonyms": [
"Anunak"
],
"target-category": [
"外贸",
"金融"
]
},
"uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200",
"value": "Carbanak - APT-C-11"
},
{
"description": "“飞鲨”行动相关攻击行动最早可以追溯到2013年1月持续活跃到2014年3月主要针对中国航空航天领域目的是窃取目标用户敏感数据信息近期暂无监控到相关攻击事件。",
"meta": {
"country": "india",
"refs": [
"https://apt.360.net/report/apts/71.html"
],
"suspected-victims": [
"中国"
],
"synonyms": [],
"target-category": [
"基础设施",
"IT",
"教育",
"科研",
"航空航天"
]
},
"uuid": "c47e631c-a3d7-509b-a87f-a7e87f8fab6c",
"value": "飞鲨 - APT-C-17"
},
{
"description": "APT-C-40(方程式)是史上最强网络犯罪组织。该团伙已活跃近20年并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织并被认为是著名的震网Stuxnet和火焰Flame病毒幕后的操纵者。",
"meta": {
"country": "america",
"refs": [
"https://apt.360.net/report/apts/85.html"
],
"suspected-victims": [
"中国",
"俄罗斯",
"伊朗",
"巴基斯坦"
],
"synonyms": [],
"target-category": [
"关键制",
"工业科研",
"航空航天",
"政府军事等重要机构"
]
},
"uuid": "54034021-1998-5ddf-93e7-f1f56d172f99",
"value": "方程式 - APT-C-40"
},
{
"description": "透明部落Transparent Tribe别名APT36、ProjectM、C-Major是一个具有南亚背景的APT组织其长期针对周边国家和地区特别是印度的政治、军事进行定向攻击活动其开发有自己的专属木马CrimsonRAT还曾被发现广泛传播USB蠕虫。TransparentTribe也曾经对Donot的恶意文档宏代码进行模仿两者高度相似。之前透明部落也曾经模仿响尾蛇组织进行攻击。其一直针对印度的政府、公共部门、各行各业包括但不限于医疗、电力、金融、制造业等进行攻击和信息窥探。",
"meta": {
"country": "southeast",
"refs": [],
"suspected-victims": [
"印度"
],
"synonyms": [
"APT36",
"ProjectM",
"C-Major"
],
"target-category": [
"政府",
"军事"
]
},
"uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e",
"value": "透明部落 - APT-C-56"
},
{
"description": "在2020年起我们发现南亚地区中新的境外APT组织活动最早活跃可追溯到2020年1月至今还很活跃。该APT组织的攻击活动主要针对巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域进行攻击。与南亚地区中活跃的蔓灵花、响尾蛇等APT组织暂无关联属于新的攻击组织。\n该APT组织通过鱼叉邮件配合社会工程学手段进行渗透向目标设备传播恶意程序暗中控制目标设备持续窃取设备上的敏感文件。由于其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务且使用的木马为python语言编写所以我们将其命名为腾云蛇编号为APT-C-61。",
"meta": {
"country": "southeast",
"refs": [],
"suspected-victims": [
"巴基斯坦",
"孟加拉"
],
"synonyms": [],
"target-category": [
"政府",
"军事",
"科研",
"国防"
]
},
"uuid": "724da0c4-ca9e-54be-a15c-8204472d8c99",
"value": "腾云蛇 - APT-C-61"
},
{
"description": "Kimsuky 是位于朝鲜的APT组织,又名(Mystery Baby, Baby Coin, Smoke Screen, BabyShark, Cobra Venom)等最早由Kaspersky在2013年披露该组织长期针对于韩国的智囊团、政府外交、新闻组织、教育学术组织等进行攻击在过去几年里他们将攻击目标扩大到包括美国、俄罗斯和欧洲各国在内的国家。主要目的为窃取情报、间谍活动等。该组织十分活跃常用的攻击载荷为带有漏洞的hwp文件、恶意宏文件、释放载荷的PE文件等。",
"meta": {
"country": "korea",
"refs": [],
"suspected-victims": [
"韩国"
],
"synonyms": [],
"target-category": [
"政府",
"教育",
"外交",
"媒体"
]
},
"uuid": "84e18657-3995-5837-88f1-f823520382a8",
"value": "Kimsuky - APT-C-55"
},
{
"description": "2019年初国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动根据相关报告分析该组织的攻击活动至少可以追溯到2014年曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击。",
"meta": {
"country": "Ukraine",
"refs": [
"https://apt.360.net/report/apts/169.html"
],
"suspected-victims": [
"乌克兰"
],
"synonyms": [
"APT-C-46"
],
"target-category": [
"政府"
]
},
"uuid": "a97037e7-7c3b-5cc2-ab4c-bd0432bc247a",
"value": "卢甘斯克组织 - APT-C-46"
},
{
"description": "360 安全大脑检测到多起 ClickOnce 恶意程序的攻击活动,通过 360 高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露 APT 组织的攻击行动,该组织的攻击活动最早可以追溯到 2018 年。目前没有任何安全厂商公开披露该组织的攻击活动360根据用ClickOnce 攻击技术的谐音,将其命名为“旺刺”组织。",
"meta": {
"country": "korea",
"refs": [
"https://apt.360.net/report/apts/168.html"
],
"suspected-victims": [
"中国",
"朝鲜半岛"
],
"synonyms": [
"APT-C-47"
],
"target-category": [
"商贸机构"
]
},
"uuid": "0660d5e2-f8cf-5d5e-95c8-e5af7115979e",
"value": "旺刺组织 - APT-C-47"
},
{
"description": "Domestic Kitten组织APT-C-50最早被国外安全厂商披露自2016年以来一直在进行广泛而有针对性的攻击攻击目标包括伊朗内部持不同政见者和反对派力量以及ISIS的拥护者和主要定居在伊朗西部的库尔德少数民族。值得注意的是所有攻击目标都是伊朗公民。伊斯兰革命卫队IRGC、情报部、内政部等伊朗政府机构可能为该组织提供支持",
"meta": {
"country": "Iran",
"refs": [
"https://apt.360.net/report/apts/166.html"
],
"suspected-victims": [
"伊朗",
"阿富汗",
"伊拉克",
"英国"
],
"synonyms": [
"APT-C-50"
],
"target-category": [
"政府"
]
},
"uuid": "a6636926-ffe4-5974-9be0-34ab5dcbd59f",
"value": "DomesticKitten - APT-C-50"
},
{
"description": "APT-C-32",
"meta": {
"country": "Israel",
"refs": [],
"synonyms": []
},
"uuid": "bf77827a-e0f1-504f-815c-4bccfe72b644",
"value": "SandCat - APT-C-32"
},
{
"description": "APT-C-48",
"meta": {
"country": "india",
"refs": [],
"suspected-victims": [
"中国"
],
"synonyms": [],
"target-category": [
"教育",
"军事"
]
},
"uuid": "34d75138-389f-5555-85e9-f3ca5a9cce8f",
"value": "APT_CNC - APT-C-48"
},
{
"description": "蓝色魔眼APT-C-41又被称为Promethium、StrongPity该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。360安全大脑监测到该组织在2020年1月首次针对中国进行了攻击活动并捕获到了该组织最新V4版本的攻击组件。经过360高级威胁研究院的深入分析研判此次攻击的针对性极强是该组织罕见地针对我国相关重要机构发起的首起定向攻击行动。由于是首次捕获和披露该组织对我国的攻击我们为其分配了新的编号APT-C-41并根据该组织活跃地区的文化特色将其命名为“蓝色魔眼”。",
"meta": {
"country": "trq",
"refs": [
"https://apt.360.net/report/apts/158.html"
],
"suspected-victims": [
"欧洲",
"意大利",
"土耳其",
"比利时",
"叙利亚"
],
"synonyms": [
"StrongPity"
],
"target-category": [
"基础设施"
]
},
"uuid": "75122408-5db4-5ac2-a156-88a8f149e738",
"value": "蓝色魔眼 - APT-C-41"
},
{
"description": "Machete",
"meta": {
"country": "namerica",
"refs": [
"https://apt.360.net/report/apts/159.html"
],
"synonyms": [
"Machete"
]
},
"uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30",
"value": "Machete - APT-C-43"
},
{
"description": "APT-C-53",
"meta": {
"country": "russia",
"refs": [],
"synonyms": []
},
"uuid": "ca52d879-f02b-531e-89ff-817ffc23ce35",
"value": "Gamaredon - APT-C-53"
},
{
"description": "360烽火实验室联合360高级威胁研究院发现一起针对阿拉伯语地区的长达三年的多次网络攻击活动。该攻击活动自2017年10月开始至今攻击平台主要为Windows和Android。通过分析我们发现此次攻击活动来自阿尔及利亚主要利用钓鱼网站和第三方文件托管网站进行载荷投递并且使用社交媒体进行传播受害者主要分布在阿拉伯语地区其中包含疑似具有军事背景的相关人员。根据此次攻击活动的伪装对象和攻击目标我们认为该组织目的是为了获取情报先机。根据该组织所属国家的地理位置以及其他特点我们将其命名为北非狐APT-C-44。",
"meta": {
"country": "algeria",
"refs": [
"https://apt.360.net/report/apts/157.html"
],
"synonyms": []
},
"uuid": "367bfb72-da65-5886-a333-389299470722",
"value": "北非狐 - APT-C-44"
},
{
"description": "WellMess组织是一个一直未被业界认定的APT组织多方面数据显示该组织在2017至2019年间的攻击活动开始频繁活跃其中日本互联网应急响应中心于2018年曾报道过该组织的相关攻击活动但并未将其归属为APT组织。\n\n在2019年360高级威胁研究院捕获发现了WellMess组织一系列的APT攻击活动这一系列的攻击活动最早开始于2017年12月一直持续到2019年12月。在对WellMess组织的攻击研判过程中我们确定这是一个具备自身独特攻击特点和精密攻击技战术的APT组织为其分配了APT-C-42的专属APT组织编号。",
"meta": {
"country": "russia",
"refs": [
"https://apt.360.net/report/apts/136.html"
],
"synonyms": [],
"target-category": [
"IT通信行业"
]
},
"uuid": "6560f0cf-bbbd-5bb7-8dad-b4c8ea23704f",
"value": "WellMess - APT-C-42"
}
],
"version": 1
}

1183
clusters/atrm.json Normal file
View File

File diff suppressed because it is too large Load Diff

10
clusters/backdoor.json
View File

@ -135,6 +135,14 @@
"refs": [
"https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike",
"https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/"
],
"synonyms": [
"BEERBOT",
"KEGTAP",
"Team9Backdoor",
"bazaloader",
"bazarloader",
"bazaarloader"
]
},
"uuid": "1523a693-5d90-4da1-86d2-b5d22317820d",
@ -187,5 +195,5 @@
"value": "BPFDoor"
}
],
"version": 12
"version": 13
}

8
clusters/banker.json
View File

@ -890,7 +890,11 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/",
"https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/",
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html"
"http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"BokBot"
]
},
"related": [
@ -1193,5 +1197,5 @@
"value": "Dark Tequila"
}
],
"version": 16
"version": 17
}

113
clusters/botnet.json
View File

@ -1291,7 +1291,118 @@
},
"uuid": "3e40c1af-51f5-4b02-b189-74567125c6e0",
"value": "Ripprbot"
},
{
"description": "In mid-March [2022], FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.\n\nThis botnet is mainly derived from Gafgyts source code but has been observed to borrow several modules from Mirais original source code.\n\nIt uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.\n\nEnemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported iRZ router vulnerability to infect more devices.",
"meta": {
"refs": [
"https://www.securonix.com/blog/detecting-the-enemybot-botnet-advisory/",
"https://malpedia.caad.fkie.fraunhofer.de/details/elf.enemybot",
"https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet",
"https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers"
]
},
"related": [
{
"dest-uuid": "262d18be-7cab-46c2-bcb0-47fff17604aa",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "40795af6-b721-11e8-9fcb-570c0b384135",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "a5a067c9-c4d7-4f33-8e6f-01b903f89908",
"value": "EnemyBot"
},
{
"description": "Discovered in 2008 and under constant development, with gaps in operational use in the wild; operators are occasionally known as GOLD LAGOON. Banking Trojan, steals financial data, browser information/hooks, keystrokes, credentials; described by CheckPoint as a “Swiss Army knife”. Known to leverage many other tools; for example, PowerShell and Mimikatz are used for self-propagation. Attempts obfuscation via legitimate process injection. Known to serve as a dropper for ProLock ransomware. Infection vectors are common, with malspam as the most frequent. Active in 2020 two big campaigns, one from March to June, second Starting in July and ongoing, as part of latest Emotet campaign. Newer version appeared in August.",
"meta": {
"refs": [
"https://www.cisa.gov/sites/default/files/publications/202010221030_QakBot%20TLPWHITE.pdf",
"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
"https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/"
],
"synonyms": [
"QakBot",
"Pinkslipbot"
]
},
"related": [
{
"dest-uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "dropped"
},
{
"dest-uuid": "9db5f425-fe49-4137-8598-840e7290ed0f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"value": "Qbot"
},
{
"description": "This malware is characterized by alternative DNS connections and connects to several *.lib domains using custom DNS servers.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"related": [
{
"dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "variant-of"
}
],
"uuid": "505c6a54-a701-4a4b-85d4-0f2038b7b46a",
"value": "Dark.IoT"
},
{
"description": "Akamai Security Research has observed a new golang malware which they named KmsdBot. The malware scans for open SSH ports and performs a simple dictionary attack against it. The researchers from Akamai monitored only DDoS activity, but discovered also the functionality to launch cryptomining. The malware has varied targets including the gaming industry, technology industry, and luxury car manufacturers.",
"meta": {
"refs": [
"https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware"
]
},
"uuid": "b6919400-9b16-48ae-8379-fab26a506e32",
"value": "KmsdBot"
}
],
"version": 25
"version": 30
}

12
clusters/cryptominers.json
View File

@ -62,7 +62,17 @@
},
"uuid": "a0c0ab05-c390-425c-9311-f64bf7ca9145",
"value": "Krane"
},
{
"description": "“Hezb”, which is based on command line artifact data, was observed around Kinsing. This malware is relatively new and was recently reported in late May exploiting WSO2 RCE (CVE-2022-29464) in the wild. Several malware components were observed, the first of which was an XMRig miner installed as “Hezb”. Additional modules included a polkit exploit for privilege escalation as well as a zero-detection ELF payload named “kik”.",
"meta": {
"refs": [
"https://www.lacework.com/blog/kinsing-dark-iot-botnet-among-threats-targeting-cve-2022-26134/"
]
},
"uuid": "428bbf01-7756-48a2-848d-6bca3997f1df",
"value": "Hezb"
}
],
"version": 2
"version": 3
}

6
clusters/handicap.json
View File

@ -5,9 +5,9 @@
],
"category": "med-bdm-it",
"description": "Liste des maladies invalidantes reconnues comme handicap",
"name": "handicap",
"name": "Handicap",
"source": "MDPH /caf",
"type": "Handicap",
"type": "handicap",
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c7777",
"values": [
{
@ -272,5 +272,5 @@
"value": "Tumeur maligne"
}
],
"version": 1
"version": 2
}

24193
clusters/malpedia.json
View File

File diff suppressed because it is too large Load Diff

32
clusters/microsoft-activity-group.json
View File

@ -205,38 +205,6 @@
"uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d",
"value": "ZIRCONIUM"
},
{
"description": "This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.",
"meta": {
"cfr-suspected-state-sponsor": "Pakistan",
"cfr-suspected-victims": [
"India"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
],
"synonyms": [
"C-Major",
"Transparent Tribe"
]
},
"related": [
{
"dest-uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2a410eea-a9da-11e8-b404-37b7060746c8",
"value": "https://www.cfr.org/interactive/cyber-operations/mythic-leopard"
},
{
"description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, were encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.",
"meta": {

2393
clusters/mitre-attack-pattern.json
View File

File diff suppressed because it is too large Load Diff

367
clusters/mitre-course-of-action.json
View File

@ -331,13 +331,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
"tags": [
@ -415,13 +408,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "bed04f7d-e48a-4e76-bd0f-4c57fe31fc46",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb",
"tags": [
@ -534,13 +520,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf",
"tags": [
@ -1155,6 +1134,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "06780952-177c-4247-b978-79c357fb311f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345",
"tags": [
@ -1386,6 +1372,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
"tags": [
@ -1568,13 +1561,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "d10cbd34-42e3-45c0-84d2-535a09849584",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253",
"tags": [
@ -2520,13 +2506,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d",
"tags": [
@ -2541,13 +2520,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53",
"tags": [
@ -2660,13 +2632,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a9e2cea0-c805-4bf8-9e31-f5f0513a3634",
"tags": [
@ -2681,13 +2646,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4",
"tags": [
@ -2751,13 +2709,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "eb2cb5cb-ae87-4de0-8c35-da2a17aafb99",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a",
"tags": [
@ -4037,7 +3988,7 @@
"value": "Remote Access Tools Mitigation - T1219"
},
{
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Multi-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
"description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.",
"meta": {
"external_id": "T1133",
"refs": [
@ -5223,6 +5174,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "73c26732-6422-4081-8b63-6d0ae93d449e",
"tags": [
@ -5237,27 +5195,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "7d20fff9-8751-404e-badd-ccd71bda0236",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8252f135-ed26-4ce1-ae61-f26e94429a19",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "acd0ba37-7ba9-4cc5-ac61-796586cd856d",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6",
"tags": [
@ -5448,13 +5385,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"tags": [
@ -6199,7 +6129,15 @@
"https://attack.mitre.org/mitigations/T1150"
]
},
"related": [],
"related": [
{
"dest-uuid": "06780952-177c-4247-b978-79c357fb311f",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "2d704e56-e689-4011-b989-bf4e025a8727",
"value": "Plist Modification Mitigation - T1150"
},
@ -6411,13 +6349,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f",
"tags": [
@ -6446,13 +6377,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7",
"tags": [
@ -6467,6 +6391,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529",
"tags": [
@ -6593,6 +6524,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6636bc83-0611-45a6-b74f-1f3daf635b8e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf",
"tags": [
@ -6614,13 +6552,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4",
"tags": [
@ -6663,13 +6594,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db",
"tags": [
@ -6768,13 +6692,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "a1b52199-c8c5-438a-9ded-656f1d0888c6",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c",
"tags": [
@ -6817,13 +6734,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc",
"tags": [
@ -7006,13 +6916,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "f8ef3a62-3f44-40a4-abca-761ab235c436",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335",
"tags": [
@ -7247,13 +7150,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427",
"tags": [
@ -7338,13 +7234,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "d456de47-a16f-4e46-8980-e67478a12dcb",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87",
"tags": [
@ -8251,13 +8140,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "d50955c2-272d-4ac8-95da-10c29dda1c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48",
"tags": [
@ -8515,13 +8397,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e",
"tags": [
@ -8571,13 +8446,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f",
"tags": [
@ -8864,13 +8732,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2",
"tags": [
@ -9230,13 +9091,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd",
"tags": [
@ -9411,13 +9265,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "59ff91cd-1430-4075-8563-e6f15f4f9ff5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e",
"tags": [
@ -10304,7 +10151,15 @@
"https://support.apple.com/en-us/HT204005"
]
},
"related": [],
"related": [
{
"dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
}
],
"uuid": "06824aa2-94a5-474c-97f6-57c2e983d885",
"value": "Login Item Mitigation - T1162"
},
@ -11016,13 +10871,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "8a2f40cf-8325-47f9-96e4-b1ca4c7389bd",
"tags": [
@ -11037,13 +10885,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b",
"tags": [
@ -12549,13 +12390,6 @@
]
},
"related": [
{
"dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "0ad7bc5c-235a-4048-944b-3b286676cb74",
"tags": [
@ -12668,13 +12502,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "791481f8-e96a-41be-b089-a088763083d4",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566",
"tags": [
@ -12987,6 +12814,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
"tags": [
@ -13015,6 +12849,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6747daa2-3533-4e78-8fb8-446ebb86448a",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300",
"tags": [
@ -13085,13 +12926,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d",
"tags": [
@ -13635,13 +13469,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "d50955c2-272d-4ac8-95da-10c29dda1c48",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24",
"tags": [
@ -13670,13 +13497,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "fc74ba38-dc98-461f-8611-b3dbf9978e3d",
"tags": [
@ -14657,13 +14477,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "106c0cf6-bf73-4601-9aa8-0945c2715ec5",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "10ff21b9-5a01-4268-a1b5-3b55015f1847",
"tags": [
@ -14678,13 +14491,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61",
"tags": [
@ -15739,13 +15545,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "bed04f7d-e48a-4e76-bd0f-4c57fe31fc46",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "c071d8c1-3b3a-4f22-9407-ca4e96921069",
"tags": [
@ -16142,13 +15941,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286",
"tags": [
@ -16191,13 +15983,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "379809f6-2fac-42c1-bd2e-e9dee70b27f8",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8",
"tags": [
@ -16254,13 +16039,6 @@
],
"type": "mitigates"
},
{
"dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe",
"tags": [
@ -16303,6 +16081,13 @@
],
"type": "mitigates"
},
{
"dest-uuid": "6636bc83-0611-45a6-b74f-1f3daf635b8e",
"tags": [
"estimative-language:likelihood-probability=\"almost-certain\""
],
"type": "mitigates"
},
{
"dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b",
"tags": [
@ -16567,5 +16352,5 @@
"value": "Audit - M1047"
}
],
"version": 22
"version": 24
}

14
clusters/mitre-enterprise-attack-intrusion-set.json
View File

@ -1215,13 +1215,6 @@
],
"type": "similar"
},
{
"dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"tags": [
@ -1414,13 +1407,6 @@
],
"type": "similar"
},
{
"dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"tags": [

3088
clusters/mitre-intrusion-set.json
View File

File diff suppressed because it is too large Load Diff

5685
clusters/mitre-malware.json
View File

File diff suppressed because it is too large Load Diff

1129
clusters/mitre-tool.json
View File

File diff suppressed because it is too large Load Diff

366
clusters/ransomware.json
View File

@ -2250,7 +2250,7 @@
"https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html",
"https://twitter.com/JakubKroustek/status/825790584971472902"
],
"synonyns": [
"synonyms": [
"XCrypt"
]
},
@ -14017,7 +14017,8 @@
".Clop2"
],
"refs": [
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf"
"https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "21b349c3-ede2-4e11-abda-1444eb272eff",
@ -14176,6 +14177,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
},
{
"dest-uuid": "4245e4cd-a57a-4e0b-9853-acaa549d495d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "42148074-196b-4f8c-b149-12163fc385fa",
@ -14324,6 +14332,10 @@
{
"description": "LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force.\nAfter gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.",
"meta": {
"extensions": [
".abcd",
".LockBit"
],
"ransomnotes-filenames": [
"Restore-My-Files.txt"
],
@ -14333,6 +14345,9 @@
"refs": [
"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/",
"https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware"
],
"synonyms": [
"ABCD ransomware"
]
},
"uuid": "8eda8bf1-db5a-412d-8511-45e2f7621d51",
@ -14376,6 +14391,9 @@
"https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/",
"https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/",
"https://darksidedxcftmqa.onion.foundation/"
],
"synonyms": [
"BlackMatter"
]
},
"uuid": "f514a46e-53ff-4f07-b75a-aed289cf221f",
@ -21647,7 +21665,64 @@
"value": "MBR-ONI"
},
{
"description": "ransomware",
"description": "Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.",
"meta": {
"extensions": [
".1btc",
".matlock20",
".marlock02",
".readinstructions",
".bec",
".mylock",
".jpz.nz",
".marlock11",
".cn",
".NET1",
".key1",
".fileslocked",
".datalock",
".NZ",
".lock",
".lockfilesUS",
".deadfilesgr",
".tyco",
".lockdata7",
".rs",
".faratak",
".uslockhh",
".lockfiles",
".fileslock",
".zoomzoom",
".perfection",
".marlock13",
"n.exe",
".Readinstruction",
".marlock08",
".marlock25",
"nt_lock20",
".READINSTRUCTION",
".marlock6",
".marlock01",
".ReadInstructions"
],
"ransomnotes-filenames": [
"how_to_ recover_data.html",
"how_to_recover_data.html.marlock01",
"instructions.html",
"READINSTRUCTION.html",
"!!!HOW_TO_DECRYPT!!!",
"How_to_recovery.txt",
"readinstructions.html",
"readme_to_recover_files",
"recovery_instructions.html",
"HOW_TO_RECOVER_DATA.html",
"recovery_instruction.html"
],
"refs": [
"https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
"https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf"
]
},
"uuid": "627d603a-906f-4fbf-b922-f03eea4578fe",
"value": "MedusaLocker"
},
@ -22083,6 +22158,15 @@
},
{
"description": "ransomware",
"related": [
{
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "dropped-by"
}
],
"uuid": "c4417bfb-717f-48d9-bd56-bc9e85d07c19",
"value": "ProLock"
},
@ -23538,6 +23622,20 @@
},
{
"description": "ransomware",
"meta": {
"refs": [
"https://howtofix.guide/ransom-mountlocket/"
]
},
"related": [
{
"dest-uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "7513650c-ba09-49bf-b011-d2974c7ae023",
"value": "Mountlocket"
},
@ -23577,7 +23675,7 @@
"value": "Leakthemall"
},
{
"description": "ransomware",
"description": "Conti ransomware is a RaaS and has been observed encrypting networks since mid-2020.\nConti was developed by the “TrickBot” group, an organized Russian cybercriminal operation. Their reputation has allowed the group to create a strong brand name, attracting many affiliates which has made Conti one of the most widespread ransomware strains in the world.\nOne of the last known “Conti” attacks was against the government of Costa Rica in April 2022 causing the country to declare a state of emergency.\nShortly after this final attack, the “Conti” brand disappeared. The group behind it likely switched to a different brand to avoid sanctions and start over with a new, clean reputation.",
"meta": {
"attribution-confidence": "100",
"country": "RU",
@ -23588,9 +23686,34 @@
"All of your files are currently encrypted by CONTI ransomware."
],
"refs": [
"https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti"
"https://www.cyber.gov.au/acsc/view-all-content/advisories/2021-010-acsc-ransomware-profile-conti",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines"
]
},
"related": [
{
"dest-uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "parent-of"
},
{
"dest-uuid": "9db5f425-fe49-4137-8598-840e7290ed0f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "parent-of"
},
{
"dest-uuid": "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "parent-of"
}
],
"uuid": "201eff54-d41e-4f70-916c-5dfb9301730a",
"value": "Conti"
},
@ -23824,7 +23947,10 @@
{
"description": "ransomware",
"meta": {
"date": "November 2020"
"date": "November 2020",
"synonyms": [
"FiveHands"
]
},
"uuid": "022c995a-f1ba-498f-b67e-92ef01fd06a3",
"value": "HelloKitty"
@ -24478,7 +24604,233 @@
},
"uuid": "bb6d933f-7b6d-4694-853d-1ca400f6bd8f",
"value": "Rook"
},
{
"description": "HelloXD is a ransomware family performing double extortion attacks that surfaced in November 2021. During our research we observed multiple variants impacting Windows and Linux systems. Unlike other ransomware groups, this ransomware family doesnt have an active leak site; instead it prefers to direct the impacted victim to negotiations through TOX chat and onion-based messenger instances.",
"meta": {
"date": "Nov. 30, 2021",
"extensions": [
"hello"
],
"ransomnotes-filenames": [
"Hello.txt"
],
"ransomnotes-refs": [
"https://unit42.paloaltonetworks.com/wp-content/uploads/2022/06/image13.png"
],
"refs": [
"https://unit42.paloaltonetworks.com/helloxd-ransomware/"
]
},
"uuid": "5617e6fa-4e6a-4011-9385-6b1165786563",
"value": "HelloXD"
},
{
"description": "Maui ransomware stand out because of a lack of several key features commonly seen with tooling from RaaS providers, such as an embedded ransom note to provide recovery instructions or automated means of transmitting encryption keys to attackers. Instead, it is believed that Maui is manually operated, in which operators will specify which files to encrypt when executing it and then exfiltrate the resulting runtime artifacts. There are many aspects to Maui ransomware that are unknown, including usage context.",
"meta": {
"refs": [
"https://stairwell.com/wp-content/uploads/2022/07/Stairwell-Threat-Report-Maui-Ransomware.pdf",
"https://www.cisa.gov/uscert/ncas/alerts/aa22-187a"
]
},
"uuid": "995c3772-dbda-4a2a-9e28-c47740d599a3",
"value": "Maui ransomware"
},
{
"description": "Lorenz is a ransomware group that has been active since at least February 2021 and like many ransomware groups, performs double-extortion by exfiltrating data before encrypting systems.",
"meta": {
"ransomnotes-refs": [
"https://marvel-b1-cdn.bc0a.com/f00000000241276/arcticwolf.com/wp-content/uploads/2022/09/Screen-Shot-2022-09-12-at-11.18.04-AM-1024x246.png"
],
"refs": [
"https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/"
]
},
"uuid": "d513199e-7f21-43fd-9610-ed708c3f6409",
"value": "Lorenz Ransomware"
},
{
"description": "First observed in June 2021, Hive ransomware was originally written in GoLang but recently, new Hive variants have been seen written in Rust. Targets Healthcare sector.",
"meta": {
"ransomnotes": [
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:v \n http://hive[REDACTED].onion/\n \n Login: [REDACTED]\n Password: [REDACTED]\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not modify, rename or delete *.key.abc12 files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed.",
"Your network has been breached and all data were encrypted.\nPersonal data, financial reports and important documents are ready to disclose.\n\n To decrypt all the data and to prevent exfiltrated files to be disclosed at \nhttp://hive[REDACTED].onion/\nyou will need to purchase our decryption software.\n \nPlease contact our sales department at:\n \n http://hive[REDACTED].onion/\n \n Login: test_hive_username\n Password: test_hive_password\n \nTo get an access to .onion websites download and install Tor Browser at:\n https://www.torproject.org/ (Tor Browser is not related to us)\n \n \nFollow the guidelines below to avoid losing your data:\n \n- Do not delete or reinstall VMs. There will be nothing to decrypt.\n- Do not modify, rename or delete *.key files. Your data will be \n undecryptable.\n- Do not modify or rename encrypted files. You will lose them.\n- Do not report to the Police, FBI, etc. They don't care about your business.\n They simply won't allow you to pay. As a result you will lose everything.\n- Do not hire a recovery company. They can't decrypt without the key. \n They also don't care about your business. They believe that they are \n good negotiators, but it is not. They usually fail. So speak for yourself.\n- Do not reject to purchase. Exfiltrated files will be publicly disclosed"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.hive",
"https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf",
"https://www.sentinelone.com/labs/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
"https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/",
"https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf",
"https://www.varonis.com/blog/hive-ransomware-analysis"
]
},
"uuid": "8ce915d3-8c6d-4841-b509-18379d7a8999",
"value": "Hive"
},
{
"description": "",
"meta": {
"ransomnotes-refs": [
"https://www.guidepointsecurity.com/wp-content/uploads/2021/04/Anonymized-Ransom-Note-1-1024x655.png"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker",
"https://securityscorecard.pathfactory.com/research/quantum-ransomware",
"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/",
"https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/",
"https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html",
"https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates",
"https://github.com/Finch4/Malware-Analysis-Reports/tree/master/MountLocker",
"https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines",
"https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/",
"https://www.cybereason.com/blog/cybereason-vs.-quantum-locker-ransomware",
"https://thedfirreport.com/2022/04/25/quantum-ransomware/"
],
"synonyms": [
"Quantum",
"Mount Locker",
"DagonLocker"
]
},
"related": [
{
"dest-uuid": "7513650c-ba09-49bf-b011-d2974c7ae023",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "successor-of"
}
],
"uuid": "0ca6ac54-ad2b-4945-9580-ac90e702fd2c",
"value": "QuantumLocker"
},
{
"description": "Black Basta is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates.",
"meta": {
"extensions": [
".basta"
],
"ransomnotes": [
"Your data are stolen and encrypted\nThe data will be published on TOR website if you do not pay the ransom\nYou can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) https://aazsbsgya565y1u2c6Lay6yfiebkcbtvvcytyolt33s77xypi7nypxyd.onion/ \n\nYour company id for log in: [REDACTED]"
],
"ransomnotes-files": [
"readme.txt"
],
"ransomnotes-refs": [
"https://www.bleepstatic.com/images/news/ransomware/b/black-basta/wallpaper.jpg",
"https://www.bleepstatic.com/images/news/ransomware/b/black-basta/ransom-note.jpg",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta07PII.PNG",
"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/e/examining-the-black-basta-ransomwares-infection-routine/blackbasta08PII.PNG"
],
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta",
"https://www.bleepingcomputer.com/news/security/american-dental-association-hit-by-new-black-basta-ransomware/",
"https://www.bleepingcomputer.com/news/security/new-black-basta-ransomware-springs-into-action-with-a-dozen-breaches/",
"https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html",
"https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape",
"https://securityintelligence.com/posts/black-basta-ransomware-group-besting-network/",
"https://www.avertium.com/resources/threat-reports/in-depth-look-at-black-basta-ransomware",
"https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/",
"https://gbhackers.com/black-basta-ransomware/",
"https://www.trendmicro.com/en_us/research/22/f/black-basta-ransomware-operators-expand-their-attack-arsenal-wit.html",
"https://securelist.com/luna-black-basta-ransomware/106950/",
"https://securityscorecard.com/research/a-deep-dive-into-black-basta-ransomware",
"https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/",
"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbasta",
"https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
"https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
"https://www.cynet.com/blog/orion-threat-alert-qakbot-ttps-arsenal-and-the-black-basta-ransomware/",
"https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html"
]
},
"related": [
{
"dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "successor-of"
},
{
"dest-uuid": "421a3805-7741-4315-82c2-6c9aa30d0953",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "uses"
}
],
"uuid": "9db5f425-fe49-4137-8598-840e7290ed0f",
"value": "BlackBasta"
},
{
"description": "Ransomware",
"related": [
{
"dest-uuid": "201eff54-d41e-4f70-916c-5dfb9301730a",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "successor-of"
}
],
"uuid": "1c43524e-0f2e-4468-b6b6-8a37f1d0ea87",
"value": "BlackByte"
},
{
"description": "Ransomware",
"uuid": "549c9766-b45d-4d14-86e8-e6a74d69d067",
"value": "RedAlert"
},
{
"description": "Ransomware",
"uuid": "00638cb0-d8c5-46c2-9c57-39d93d5bfa36",
"value": "Cheerscrypt"
},
{
"description": "Ransomware",
"uuid": "b4d24c48-c2f7-4ae7-a708-8b321b98075a",
"value": "GwisinLocker"
},
{
"description": "Ransomware",
"uuid": "2950977b-59bb-464a-8dd8-21728887f72f",
"value": "Luna Ransomware"
},
{
"description": "Ransomware",
"uuid": "73d3d8f8-83cc-4fdc-a645-d03b9a7b5a9b",
"value": "AvosLocker"
},
{
"description": "Ransomware",
"uuid": "fec32bbf-c4f8-499d-8e2a-743bcdd071e7",
"value": "PLAY Ransomware"
},
{
"description": "Ransomware",
"uuid": "1d8cadb9-501c-493e-b89b-b5574ed3f722",
"value": "Qyick Ransomware"
},
{
"description": "Ransomware",
"uuid": "9796a1a4-b2d7-4e68-bfb4-57093fd32fef",
"value": "Agenda Ransomware"
},
{
"description": "Ransomware",
"uuid": "a7623a1b-4551-4e5a-a622-2b91dea16b42",
"value": "Karakurt"
}
],
"version": 101
"version": 110
}

27
clusters/rat.json
View File

@ -1941,7 +1941,8 @@
"date": "2005 or 2008",
"refs": [
"https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX"
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX",
"https://secjoes-reports.s3.eu-central-1.amazonaws.com/Dissecting+PlugX+to+Extract+Its+Crown+Jewels.pdf"
],
"synonyms": [
"Korplug",
@ -2692,10 +2693,16 @@
"value": "Revenge-RAT"
},
{
"description": "“Vengeance Justice Worm” was first discovered in 2016 and is a highly multifunctional, modular, publicly available “commodity malware”, i.e., it can be purchased by those interested through various cybercrime and hacking related forums and channels.\n\nVJwOrm is a JavaScript-based malware and combines characteristics of Worm, Information Stealer, Remote-Access Trojan (RAT), Denial-of-Service (DOS) malware, and spam-bot.\n\nVJw0rm is propagated primarily by malicious email attachments and by infecting removeable storage devices.\n\nOnce executed by the victim, the very heavily obfuscated VJw0rm will enumerate installed drives and, if a removeable drive is found, VJwOrm will infect it if configured to do so.\n\nIt will continue to gather victim information such as operating system details, users details, installed anti-virus product details, stored browser cookies, the presence of vbc.exe on the system (Microsofts .NET Visual Basic Compiler, this indicates that .NET is installed on the system and can affect the actors choice of additional malware delivery), and whether the system has been previously infected.\n\nVJw0rm will then report this information back to its command-and-control server and await further commands, such as downloading and executing additional malware or employing any of its other numerous capabilities.\n\nFinally, VJw0rm establishes persistency in the form of registry auto-runs, system startup folders, a scheduled-task, or any combination of these methods.",
"meta": {
"date": "2016",
"refs": [
"https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en"
],
"synonym": [
"Vengeance Justice Worm",
"VJw0rm",
"VJwOrm"
]
},
"uuid": "bf86d7a6-80af-4d22-a092-f822bf7201d2",
@ -3215,6 +3222,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "3c1003a2-8364-467a-b9b8-fcc19724a9b5",
@ -3480,9 +3494,14 @@
"description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildmas modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
"meta": {
"refs": [
"https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
"https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil",
"https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign",
"https://isc.sans.edu/diary/rss/28962",
"https://otx.alienvault.com/pulse/6303804723bccc7e3caad737?utm_userid=alexandre.dulaunoy@circl.lu&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed"
],
"synonyms": []
"synonyms": [
"Astaroth"
]
},
"uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
"value": "Guildma"
@ -3531,5 +3550,5 @@
"value": "Ragnatela"
}
],
"version": 38
"version": 42
}

47
clusters/sector.json
View File

@ -106,6 +106,11 @@
"value": "Environment"
},
{
"meta": {
"synonyms": [
"Financial"
]
},
"uuid": "75597b7f-54e8-4f14-88c9-e81485ece483",
"value": "Finance"
},
@ -122,10 +127,21 @@
"value": "Gas"
},
{
"meta": {
"synonyms": [
"Government",
"Administration"
]
},
"uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f",
"value": "Government, Administration"
},
{
"meta": {
"synonyms": [
"Healthcare"
]
},
"uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0",
"value": "Health"
},
@ -182,6 +198,12 @@
"value": "Multi-sector"
},
{
"meta": {
"synonyms": [
"News",
"Media"
]
},
"uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd",
"value": "News - Media"
},
@ -198,6 +220,11 @@
"value": "Payment"
},
{
"meta": {
"synonyms": [
"Pharmaceutical"
]
},
"uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84",
"value": "Pharmacy"
},
@ -230,6 +257,11 @@
"value": "Steel"
},
{
"meta": {
"synonyms": [
"Telecommunications"
]
},
"uuid": "0de938bd-4efa-4c7a-9244-71a79317d142",
"value": "Telecoms"
},
@ -242,6 +274,11 @@
"value": "Trade"
},
{
"meta": {
"synonyms": [
"Transportation"
]
},
"uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee",
"value": "Transport"
},
@ -326,6 +363,11 @@
"value": "Restaurant"
},
{
"meta": {
"synonyms": [
"Semiconductor"
]
},
"uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32",
"value": "Semi-conductors"
},
@ -350,6 +392,11 @@
"value": "Construction"
},
{
"meta": {
"synonyms": [
"ICS"
]
},
"uuid": "3153215a-784d-478e-a147-3410a5b43b39",
"value": "Industrial"
},

80
clusters/stealer.json
View File

@ -88,7 +88,85 @@
},
"uuid": "ebc1c15d-3e27-456e-9473-61d92d91bda8",
"value": "HackBoss"
},
{
"description": "Prynt Stealer is an information stealer that has the ability to capture credentials that are stored on a compromised system including web browsers, VPN/FTP clients, as well as messaging and gaming applications. Its developer based the malware code on open source projects including AsyncRAT and StormKitty. Prynt Stealer uses Telegram to exfiltrate data that is stolen from victims. Its author added a backdoor Telegram channel to collect the information stolen by other criminals.",
"meta": {
"refs": [
"https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
]
},
"related": [
{
"dest-uuid": "46bff4ad-09fe-4ac5-803e-daa3b73e3aaf",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "d410b534-07a4-4190-b253-f6616934bea6",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
}
],
"uuid": "8f5a452a-4056-4004-bc9a-4c11cb8cf2b4",
"value": "Prynt Stealer"
},
{
"description": "Nearly identical to Prynt Stealer with a few differences. DarkEye is not sold or mentioned publicly, however, it is bundled as a backdoor with a “free” Prynt Stealer builder.",
"meta": {
"refs": [
"https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
]
},
"related": [
{
"dest-uuid": "8f5a452a-4056-4004-bc9a-4c11cb8cf2b4",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "d410b534-07a4-4190-b253-f6616934bea6",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
}
],
"uuid": "46bff4ad-09fe-4ac5-803e-daa3b73e3aaf",
"value": "DarkEye"
},
{
"description": "Prynt Stealer variant that appear to be written by the same author. It is nearly identical to Prynt Stealer with a few minor differences. While Prynt Stealer is the most popular brand name for selling the malware, WorldWind payloads are the most commonly observed in-the-wild. ",
"meta": {
"refs": [
"https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
]
},
"related": [
{
"dest-uuid": "8f5a452a-4056-4004-bc9a-4c11cb8cf2b4",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
},
{
"dest-uuid": "46bff4ad-09fe-4ac5-803e-daa3b73e3aaf",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "variant-of"
}
],
"uuid": "d410b534-07a4-4190-b253-f6616934bea6",
"value": "WorldWind"
}
],
"version": 8
"version": 9
}

2832
clusters/threat-actor.json
View File

File diff suppressed because it is too large Load Diff

204
clusters/tool.json
View File

@ -414,6 +414,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "790cc0e7-4132-4e41-9b6c-11ff757400c0",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e",
@ -2637,7 +2644,7 @@
},
"related": [
{
"dest-uuid": "94466a80-964f-467e-b4b3-0e1375174464",
"dest-uuid": "11775f11-03a0-4ba8-932f-c125dfb66e35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
@ -3527,6 +3534,15 @@
"Backdoor"
]
},
"related": [
{
"dest-uuid": "ee7f535d-cc3e-40f3-99f3-c97963cfa250",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "15949ecb-1f2b-4f59-9cf7-5751694e8fba",
"value": "darkcomet"
},
@ -8484,7 +8500,191 @@
},
"uuid": "f43a3828-a3b6-11ec-80e1-55a8e5815c2c",
"value": "BadPotato"
},
{
"description": "A simple RAT used by Vicious Panda",
"meta": {
"refs": [
"https://securelist.com/microcin-is-here/97353",
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign"
],
"synonyms": [
"Mikroceen"
],
"type": [
"RAT"
]
},
"related": [
{
"dest-uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
"type": "used-by"
}
],
"uuid": "7d17dabf-a68e-4eda-a18f-26868ced8e73",
"value": "Microcin"
},
{
"description": "The Esile campaign was named after certain strings found in the unpacked malware file that it sends out. All of the malware related to this campaign are detected as BKDR_ESILE variants.",
"meta": {
"refs": [
"https://www.trendmicro.com/vinfo/de/security/news/cyber-attacks/esile-targeted-attack-campaign-hits-apac-governments",
"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/esile"
],
"synonyms": [
"BKDR_ESILE"
]
},
"related": [
{
"dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "7d34ca56-ce69-465f-b8c8-ffd02c4b619d",
"value": "Esile"
},
{
"description": "MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email (Figure 2). Based on our intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID. Mandiant attributes the MOUSEISLAND distribution of PHOTOLOADER and other payloads to UNC2420, a distribution threat cluster created by Mandiants Threat Pursuit team. UNC2420 activity shares overlaps with the publicly reported nomenclature of “Shathak” or “TA551”.",
"meta": {
"refs": [
"https://www.mandiant.com/resources/blog/melting-unc2198-icedid-to-ransomware-operations"
]
},
"uuid": "2bea2cc9-c1cc-453d-a483-541b895867d1",
"value": "MOUSEISLAND"
},
{
"description": "GootLoader is a malware loader historically associated with the GootKit malware. As its developers updated its capabilities, GootLoader has evolved from a loader downloading a malicious payload into a multi-payload malware platform. As a loader malware, GootLoader is usually the first-stage of a system compromise. By leveraging search engine poisoning, GootLoaders developers may compromise or create websites that rank highly in search engine results, such as Google search results. How is it delivered? Via Malicious files available for download on compromised websites that rank high as search engine results",
"meta": {
"refs": [
"https://www.cyber.nj.gov/alerts-advisories/gootloader-malware-platform-uses-sophisticated-techniques-to-deliver-malware",
"https://blogs.blackberry.com/en/2022/07/gootloader-from-seo-poisoning-to-multi-stage-downloader"
]
},
"uuid": "0bdb6f1c-1229-4556-a535-7444ddfbd7a9",
"value": "GootLoader"
},
{
"description": "BumbleBee is a modular backdoor that comprises two applications, a server and a client application (a master and slaver application, respectively in the malwares jargon). Once the client application is deployed on the target computer (these are commonly local government devices), threat actors can control the machine using the server module. Let us take a deeper look into this backdoor.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": [
"backdoor"
]
},
"related": [
{
"dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "related-to"
}
],
"uuid": "6fc4beee-b922-4d25-833d-8fb574a3c56e",
"value": "BumbleBee"
},
{
"description": "Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Benign in itself, but used by threat actors.",
"meta": {
"refs": [
"https://github.com/jpillora/chisel"
]
},
"uuid": "f493dede-9134-44db-a00d-aa4866bfd555",
"value": "Chisel"
},
{
"description": "SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications",
"meta": {
"refs": [
"https://github.com/antonioCoco/SharPyShell"
]
},
"uuid": "e10ff67f-8b52-4648-9217-da53ff7d52f9",
"value": "SharPyShell"
},
{
"description": "Raspberry Robin has evolved from being a widely distributed worm with no observed post-infection actions when Red Canary first reported it in May 2022, to one of the largest malware distribution platforms currently active. ",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"type": [
"Worm"
]
},
"uuid": "70dc3e92-9b3b-4fc1-abd2-d98985d83225",
"value": "Raspberry Robin"
},
{
"description": "The Fauppod malware delivers a JavaScript backdoor to gain unauthorized access to the target system and deploy additional malware.",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
]
},
"uuid": "9f0224f6-dd46-4a23-a3fd-d295abae5f93",
"value": "Fauppod"
},
{
"description": "This threat takes multiple screenshots of your desktop. It saves all screenshots in a .dat file that becomes a collection of bitmap images. According to Group-IB, FlawedAmmyy.downloader and Truebot would have been developed by the same individual",
"meta": {
"refs": [
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"Silence"
]
},
"related": [
{
"dest-uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "ad6d0074-476e-4c05-b0d9-79404f71bbba",
"value": "Truebot"
},
{
"description": "FAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types include executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has led to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE, KOADIC, DOPPELPAYMER, and AZORULT.\nFAKEUPDATES has been heavily used by UNC1543,a financially motivated group.\n\nSocGholish, first appearing in late 2017 and rising to prominence in mid-2018, has been used to describe both the web drive-by download network used to infect victims and the JavaScript-based loader malware that targets Windows systems.",
"meta": {
"refs": [
"https://www.malwarebytes.com/blog/news/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms",
"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/",
"https://www.secureworks.com/research/threat-profiles/gold-prelude",
"https://redcanary.com/threat-detection-report/threats/socgholish/"
],
"synonyms": [
"FakeUpdate",
"SocGholish"
]
},
"related": [
{
"dest-uuid": "8134c96d-d6ed-49cc-99d6-fe74c0636387",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "used-by"
}
],
"uuid": "cd32b19e-c365-4efc-9998-548e50e04a4c",
"value": "FakeUpdates"
}
],
"version": 150
"version": 158
}

9
galaxies/360net.json Normal file
View File

@ -0,0 +1,9 @@
{
"description": "Known or estimated adversary groups as identified by 360.net.",
"icon": "user-secret",
"name": "360.net Threat Actors",
"namespace": "360net",
"type": "360net-threat-actor",
"uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
"version": 1
}

20
galaxies/atrm.json Normal file
View File

@ -0,0 +1,20 @@
{
"description": "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
"icon": "map",
"kill_chain_order": {
"ATRM-tactics": [
"Reconnaissance",
"Initial Access",
"Execution",
"Privilege Escalation",
"Persistence",
"Credential Access",
"Exfiltration"
]
},
"name": "Azure Threat Research Matrix",
"namespace": "atrm",
"type": "atrm",
"uuid": "b541a056-154c-41e7-8a56-41db3f871c00",
"version": 1
}

8
galaxies/handicap.json
View File

@ -1,9 +1,9 @@
{
"description": "Handicap classifying",
"icon": "android",
"name": "handicap",
"icon": "wheelchair",
"name": "Handicap",
"namespace": "misp",
"type": "Handi",
"type": "handicap",
"uuid": "84310ba3-fa6a-44aa-b378-b9e3271c7777",
"version": 1
"version": 2
}

17
tools/del_duplicate_refs.py Executable file
View File

@ -0,0 +1,17 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tool to remove duplicates in cluster references
"""
import sys
import json
with open(sys.argv[1], 'r') as f:
data = json.load(f)
for c in data['values']:
c['meta']['refs'] = list(dict.fromkeys(c['meta']['refs']))
with open(sys.argv[1], 'w') as f:
json.dump(data, f)

26
tools/del_duplicate_uuids.py Executable file
View File

@ -0,0 +1,26 @@
#!/usr/bin/env python3
# coding=utf-8
"""
Tool to remove duplicates in cluster references
"""
import sys
import json
with open(sys.argv[1], 'r') as f:
data = json.load(f)
unique_uuid = set()
values = []
for c in data['values']:
if c['uuid'] in unique_uuid:
sys.stderr.write(f"Duplicate UUID - {c['uuid']}\n")
continue
unique_uuid.add(c['uuid'])
values.append(c)
data['values'] = []
data['values'] = values
with open(sys.argv[1], 'w') as f:
json.dump(data, f)

7
tools/fetch_malpedia.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
cd "${0%/*}"
wget -O malpedia.json https://malpedia.caad.fkie.fraunhofer.de/api/get/misp
mv malpedia.json ../clusters/malpedia.json
./del_duplicate_refs.py ../clusters/malpedia.json
./del_duplicate_uuids.py ../clusters/malpedia.json
(cd ..; ./jq_all_the_things.sh)

90
tools/gen_360net.py Executable file
View File

@ -0,0 +1,90 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple convertor of the https://apt.360.net to a MISP Galaxy datastructure.
# Copyright (C) 2022 MISP Project
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import uuid
import json
import requests
import argparse
parser = argparse.ArgumentParser(description="Create the 360.net APTlist based on their website data.")
args = parser.parse_args()
r = requests.get("https://apt.360.net/apts/list", timeout=5)
list_data = r.json()
clusters = []
for actor in list_data['data']['list']:
country_code = actor['location']['code'] # LATER find a magic way to convert this to a 2-letter country code
try:
refs = [actor['article']['full_url']]
except TypeError:
refs = []
for ref in actor['recommends']:
refs.append(ref['url'])
refs = list(set(refs))
cluster = {
'value': f"{actor['name']} - {actor['code']}",
'description': actor['description'],
'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), actor['code'])),
'meta': {
'synonyms': actor['alias'],
'country': country_code,
'refs': refs,
}
}
if actor['attack_industry']:
cluster['meta']['target-category'] = [i for i in actor['attack_industry'] if i]
if actor['attack_region']:
cluster['meta']['suspected-victims'] = [i for i in actor['attack_region'] if i]
# LATER find a way to convert attack-method to MITRE ATT&CK
clusters.append(cluster)
json_galaxy = {
'icon': "user-secret",
'name': "360.net Threat Actors",
'description': "Known or estimated adversary groups as identified by 360.net.",
'namespace': "360net",
'type': "360net-threat-actor",
'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
'version': 1
}
json_cluster = {
'authors': ["360.net"],
'category': 'actor',
'name': "360.net Threat Actors",
'description': "Known or estimated adversary groups as identified by 360.net.",
'source': 'https://apt.360.net/aptlist',
'type': "360net-threat-actor",
'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23",
'values': clusters,
'version': 1
}
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', '360net.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2)
with open(os.path.join('..', 'clusters', '360net.json'), 'w') as f:
json.dump(json_cluster, f, indent=2)
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

120
tools/gen_atrm.py Executable file
View File

@ -0,0 +1,120 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple convertor of the Azure-Threat-Research-Matrix to a MISP Galaxy datastructure.
# Copyright (C) 2022 Christophe Vandeplas
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import yaml
import os
import uuid
import re
import json
import argparse
parser = argparse.ArgumentParser(description='Create/update the Azure Threat Research Matrix based on Markdown files.')
parser.add_argument("-p", "--path", required=True, help="Path of the 'Azure Threat Research Matrix' git clone folder")
args = parser.parse_args()
if not os.path.exists(args.path):
exit("ERROR: Azure Threat Research Matrix folder incorrect")
with open(os.path.join(args.path, 'mkdocs.yml'), 'r') as f:
mkdocs_data = yaml.load(f, Loader=yaml.BaseLoader)
tactics = []
clusters = {}
for nav_item in mkdocs_data['nav']:
try:
for tact_item in nav_item['Tactics']:
tactic = next(iter(tact_item.keys()))
tactics.append(tactic)
for techn_items in tact_item[tactic]:
try:
for techn_fname in techn_items['Techniques']:
for technique, fname in techn_fname.items():
description_lst = []
with open(os.path.join(args.path, 'docs', fname), 'r') as technique_f:
# find the short description, residing between the main title (#) and next title (!!!) or table (|)
for line in technique_f:
if line.startswith('#'):
continue
if line.startswith('!!!') or line.startswith('|'):
break
description_lst.append(line.strip())
description = ''.join(description_lst)
# print(f"{tactic} / {technique} / {description}")
if technique not in clusters:
clusters[technique] = {
'value': technique,
'description': description,
'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), technique)),
'meta': {
'kill_chain': [],
'refs': [f"https://microsoft.github.io/Azure-Threat-Research-Matrix/{fname[:-3]}"]
}
}
clusters[technique]['meta']['kill_chain'].append(f"ATRM-tactics:{tactic}")
except KeyError:
continue
break
except KeyError:
continue
json_galaxy = {
'icon': "map",
'kill_chain_order': {
'ATRM-tactics': tactics
},
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'namespace': "atrm",
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'version': 1
}
json_cluster = {
'authors': ["Microsoft"],
'category': 'atrm',
'name': "Azure Threat Research Matrix",
'description': "The purpose of the Azure Threat Research Matrix (ATRM) is to educate readers on the potential of Azure-based tactics, techniques, and procedures (TTPs). It is not to teach how to weaponize or specifically abuse them. For this reason, some specific commands will be obfuscated or parts will be omitted to prevent abuse.",
'source': 'https://github.com/microsoft/Azure-Threat-Research-Matrix',
'type': "atrm",
'uuid': "b541a056-154c-41e7-8a56-41db3f871c00",
'values': list(clusters.values()),
'version': 1
}
# add authors based on the Acknowledgements page
with open(os.path.join(args.path, 'docs', 'acknowledgments.md'), 'r') as f:
for line in f:
if line.startswith('* '):
try:
json_cluster['authors'].append(re.search(r'\w+ [\w&]+', line).group())
except AttributeError:
json_cluster['authors'].append(re.search(r'\w+', line).group())
# save the Galaxy and Cluster file
with open(os.path.join('..', 'galaxies', 'atrm.json'), 'w') as f:
json.dump(json_galaxy, f, indent=2, sort_keys=True)
with open(os.path.join('..', 'clusters', 'atrm.json'), 'w') as f:
json.dump(json_cluster, f, indent=2, sort_keys=True)
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")

4
tools/mitre-cti/v2.0/create_mitre-galaxy.py → tools/gen_mitre.py
View File

@ -10,7 +10,7 @@ parser.add_argument("-p", "--path", required=True, help="Path of the mitre/cti f
args = parser.parse_args()
values = []
misp_dir = '../../../'
misp_dir = '../'
domains = ['enterprise-attack', 'mobile-attack', 'pre-attack']
@ -192,4 +192,4 @@ for t in types:
json.dump(file_data, f, indent=2, sort_keys=True, ensure_ascii=False)
f.write('\n') # only needed for the beauty and to be compliant with jq_all_the_things
print("All done, please don't forget to ./validate_all.sh and ./jq_all_the_things.sh")
print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")